Online investment scams are a global, growing, and uniquely pernicious threat. In newly released data, the Federal Trade Commission attributed more than $4.6 billion of US fraud losses in 2023 to investment scams, more than any other fraud category, and a 21% increase over 2022. The FBI’s 2023 Internet Crime Report notes that investment scams were “once again the costliest type of crime tracked by IC3”.
Many investment scams rely on sophisticated fraudulent investment websites that operate a fake trading platform to trick victims into depositing money after being lured in through email, social media posts or fake ads. In January alone, Netcraft detected and blocked almost 13,000 fake investment platform domains across more than 7,000 IPs: the largest number of IPs since we began tracking the platforms independently and 25% more than in December.
Online investment scams promise very high returns with no risks attached, claiming to deliver once-in-a-lifetime opportunities for investors to make guaranteed returns overnight. Usually claiming to trade in forex, cryptocurrency, or other high-risk assets, the unsuspecting investor needs only to make an initial payment to take advantage. These guarantees are meaningless, the claimed investment is a sham, and the victim’s money is lost. The impacts on victims can be devastating both financially and emotionally.
In this blog post, we will take a deep dive into how the cybercriminals behind these scam websites find victims, operate fake trading platforms, deploy social engineering tactics, and eventually trick victims into depositing substantial amounts of money.
Fake investment platforms are advertised through a myriad of channels. Many are spread through social media platforms like Meta or messaging apps like WhatsApp and Telegram. Reports to Netcraft from our community confirm this.
One frequently observed technique works by inviting the victim to a group chat whose members include self-proclaimed “experts” or “financial analysts”. These experts claim to be sharing trading signals and strategies. In reality, they are bots simply following scripted conversations, where various fake users ask questions and other fake users praise the analysts for their investment advice. These chats – like the one shown below – are designed to trick the victim into thinking that this is a legitimate group where users have made money by following the advice.
Figure 1 A WhatsApp invitation to join an investment group that will “teach you how to earn huge profits in the crypto-currency market”
Cybercriminals also email users, claiming they can provide consistent, high-yield returns on their investments.
Figure 2 Fraudster’s opening email advertising a fake investment platform.
A user replying indicates to the criminal that they have some buy-in and are a potential victim. The criminal will subsequently provide the fake investment platform’s URL – for example:
Figure 3 Follow-up email that reveals the URL for the fake investment platform
Despite a convincing-sounding domain (excel-nvest[.]com), the website is fraudulent. Some of the telltale signs are the tiered levels of investment on offer, as well as the unrealistic return on investment (ROI).
Figure 4 The fake investment platform excel-nvest[.]com offers tiered accounts and promises unrealistic ROI.
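The two telltale signs above (tiered plans and unrealistic ROI) can be turned into a simple triage check over a page's visible text. The following is an added example, not Netcraft's detection logic: the regex phrasing, the 100% annualised threshold, the 30-day month and both sample texts are assumptions constructed for illustration.

```python
import re

# Advertised returns such as "5% daily" or "40% after 48 hours" (assumed phrasing).
RATE_RE = re.compile(
    r"(\d+(?:\.\d+)?)\s*%\s*(?:(hourly|daily|weekly|monthly)"
    r"|(?:after|in|every)\s+(\d+)\s*(hour|day|week|month)s?)",
    re.IGNORECASE,
)
# Period lengths in hours; a month is assumed to be 30 days.
HOURS = {"hour": 1, "hourly": 1, "day": 24, "daily": 24,
         "week": 168, "weekly": 168, "month": 720, "monthly": 720}
# Assumption: a simple annualised return above 100% is treated as unrealistic.
MAX_PLAUSIBLE_ANNUAL_PCT = 100.0


def advertised_rates(text):
    """Return (percent, period_hours, annualised_percent) for each advertised rate."""
    rates = []
    for m in RATE_RE.finditer(text):
        pct = float(m.group(1))
        if m.group(2):
            hours = HOURS[m.group(2).lower()]
        else:
            hours = int(m.group(3)) * HOURS[m.group(4).lower()]
        if hours == 0:
            continue  # "after 0 days" carries no usable period
        # Simple (non-compounded) annualisation, which understates the claim.
        rates.append((pct, hours, pct * (365 * 24) / hours))
    return rates


def triage(text):
    """Flag text that advertises several return tiers, at least one implausible."""
    rates = advertised_rates(text)
    tiers = {(pct, hours) for pct, hours, _ in rates}
    unrealistic = [r for r in rates if r[2] > MAX_PLAUSIBLE_ANNUAL_PCT]
    return {
        "tiered": len(tiers) >= 2,
        "unrealistic": len(unrealistic),
        "max_annual_pct": max((r[2] for r in rates), default=0.0),
        "flag": len(tiers) >= 2 and bool(unrealistic),
    }


# Constructed sample text, not copied from any real site.
SCAM_SAMPLE = ("Starter Plan: 5% daily, minimum deposit $100\n"
               "Silver Plan: 40% after 48 hours, minimum deposit $1,000\n"
               "Gold Plan: 120% after 7 days, minimum deposit $10,000")
BENIGN_SAMPLE = "Fixed-term bond: 0.4% monthly, capital at risk."
```

Annualising makes the gap visible: the constructed "40% after 48 hours" tier works out to 7,300% a year before compounding.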
Another approach involves combining these investment scams with Advance-Fee Fraud, in which the victim is tricked into making upfront payments under false pretenses. In these cases, the criminals operating fake investment platforms often claim that there are ‘invested inheritance funds’ (or similar) that can be claimed, but a fee must be paid beforehand – for example:
Figure 5 Fraudulent email containing a link to a fake investment platform.
This email contains the URL of the fake investment platform and a corresponding username/password combination. The details in the email are designed to convince the recipient that they are dealing with a legitimate organization. Once they have logged into the website, they are presented with a dashboard that shows a snapshot of the investor’s profile.
Many of the fake investment platforms Netcraft has detected and blocked feature a professional-looking financial dashboard, like the one shown below, with graphs, charts, and the victim’s current balance and projected returns. Templates for designing these platforms are openly advertised online, often as “high-yield investment programs” (HYIPs). We have seen hundreds of these templates across various sites, including otherwise legitimate website template marketplaces.
Figure 6 A fake investment platform’s dashboard interface. Taken from a victim’s review.
The dashboards convince victims to think that they are trading real assets, such as forex or cryptocurrency. However, first-hand accounts from scammers involved in this type of fraud reveal that these trades are not backed by real assets. The illusion of real trading is created by combining techniques, all designed to maximize the amount of money victims deposit into these sites:
Regardless of the tactics adopted, once the victim invests heavily and then attempts to withdraw a large amount of funds, the site operator or account manager will present excuses to explain why this is not possible. Eventually, contact will stop altogether, leaving the victim massively out of pocket.
Netcraft is the world leader in detecting and blocking online fraud, including phishing, brand infringement, malware command and control, cryptocurrency investment scams, and fake investment platforms. We have recently partnered with ASIC, Australia’s financial regulator, as it develops a scam and phishing website takedown capability as part of its Fighting Scams initiative.
You can report fake investment platforms you encounter (or any other kind of scam website) directly to Netcraft, or by using the Netcraft Browser Extension or App.
Netcraft’s cybercrime detection and disruption services operate 24/7 to discover fake investment platforms, fraud, phishing, and other cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures malicious content is blocked and removed quickly and efficiently—typically within hours.